Government Technology

The Smart Grid Needs to Get Smart About Security



hacking smart meters
hacking smart meters

May 27, 2010 By

"Hacking" a smart meter or an entire grid requires no physical access -- just access to the same Internet connections used to manage the network. Reprinted with permission of MuniWireless.

With all due respect to the power companies, why should they even know how to spell IP? Their history in communications was to build stand-alone power facilities and substations connected with point-to-point microwave communication links (many times upgraded to their own dark fiber point-to-points). With this kind of money and private network capabilities, why would you ever worry about security? You lived on you own island with your own power and communications grid and everything was just fine.

Then came the smart grid. By definition, the smart grid requires a two-way digital technology to control appliances at consumers' homes to save energy, reduce cost and increase reliability and transparency. A big change for power companies and admittedly a whole new learning curve with many power companies like PG&E setting up their own test labs to begin learning this. (See Inside PGE's Smart Grid Lab -- Chris Knudsen, director of the technology innovation center at PG&E, shows what they're tinkering with).

Utility Meter

It didn't take long for problems to occur. Again, you need to understand that even smart meters were just dusted off 20-year-old designs that were lying around waiting for someone to push the power companies into the 21st century. These designs were never meant to securely send and store data real time. It wasn't long before serious security issues were found and were reported by respected security firms like InGuardian and IOactive. And we are not talking about someone hacking your PC. When it comes to the power grid, the costs of remote hack attacks are potentially more dramatic. "The cost factor here is what's turned on its head. We lose control of our grid, that's far worse than a botnet taking over my home PC," said Matthew Carpenter, senior security analyst of InGuardian, speaking at a panel at the RSA Security Conference in San Francisco. So now with little knowledge of the Internet and security the power companies have billions of dollars of grants in hand with one big problem. The grants mandate an iron-clad security platform.

To add to the smart-grid security problems some people think the power grid is the main target in the new battle in cyber wars. Richard Clarke, the former federal anti-terrorism czar, has now turned his attention to a new national security threat, putting an attack of the power grid on the front lines. In a recent Newsweek article, Clarke was quoted as saying, "The U.S. government, [National Security Administration], and military have tried to access the power grid's control systems from the public Internet. They've been able to do it every time they have tried. They have even tried to issue commands to see if they could get generators to explode. That's the famous Aurora experiment in Idaho. Well, it worked. And we know there are other real cases, like the power grid taken out in Brazil as part of a blackmail scheme. So the government knows it can be done, the government admits it can be done, the government intends to do it to other countries. Even the Chinese military has talked publicly about how they would attack the U.S. power grid in a war and cause cascading failures."

So what can we do to secure the grid now while upgrading it to smart-grid capabilities?

Ed Smith, CEO of WirelessWall has one word, "Attack." Having a military background he understands that you begin an


| More

Comments

Niall McShane    |    Commented May 29, 2010

Larry - you correctly highlight the broader security issue associated with the grid, not just the issue of personal privacy but the concern about a coordinated attack designed to bring down the grid. The first thing to note here is that the capability for such an attack already exists today as evidenced by the examples you quote in your article.

Clearly we need to improve security around the grid to try to ward off such attacks but we should also recognize that we will never reach the point where the grid is secured.

As in other fields, security is a game between the system operators and the hackers with each constantly trying to stay ahead of the other and no way to completely lock down a system and protect it from all possible attacks.

This is why we need to start the process of re-architecting the grid into smaller, localized microgrids that are loosely coupled in a federation to help balance supply and demand across wider geographic areas but which can also island from the macrogrid to prevent the propagation of faults. In this way we move from a single large target that can be attacked and that will then propagate the fault throughout the network to a large number of much smaller targets.

This is the most effective way to secure the grid from the types of attacks that you are highlighting.

Niall McShane    |    Commented May 29, 2010

Larry - you correctly highlight the broader security issue associated with the grid, not just the issue of personal privacy but the concern about a coordinated attack designed to bring down the grid. The first thing to note here is that the capability for such an attack already exists today as evidenced by the examples you quote in your article.

Clearly we need to improve security around the grid to try to ward off such attacks but we should also recognize that we will never reach the point where the grid is secured.

As in other fields, security is a game between the system operators and the hackers with each constantly trying to stay ahead of the other and no way to completely lock down a system and protect it from all possible attacks.

This is why we need to start the process of re-architecting the grid into smaller, localized microgrids that are loosely coupled in a federation to help balance supply and demand across wider geographic areas but which can also island from the macrogrid to prevent the propagation of faults. In this way we move from a single large target that can be attacked and that will then propagate the fault throughout the network to a large number of much smaller targets.

This is the most effective way to secure the grid from the types of attacks that you are highlighting.


Add Your Comment

You are solely responsible for the content of your comments. We reserve the right to remove comments that are considered profane, vulgar, obscene, factually inaccurate, off-topic, or considered a personal attack.

In Our Library

White Papers | Exclusives Reports | Webinar Archives | Best Practices and Case Studies
McAfee Enterprise Security Manager and Threat Intelligence Exchange
As a part of the Intel® Security product offering, McAfee® Enterprise Security Manager and McAfee Threat Intelligence Exchange work together to provide organizations with exactly what they need to fight advanced threats. You get the situational awareness, actionable intelligence, and instantaneous speed to immediately identify, respond to, and proactively neutralize threats in just milliseconds.
Better security. Better government.
Powering security at all levels of government with simpler, more connected IT.
Cybersecurity in an "All-IP World" Are You Prepared?
In a recent survey conducted by Public CIO, over 125 respondents shared how they protect their environments from cyber threats and the challenges they see in an all-IP world. Read how your cybersecurity strategies and attitudes compare with your peers.
View All

Featured Papers